Is my database password really safe in an includes directory?

I am about to upload my first database driven website. I've created an includes directory, and inside it, I've placed a php file that is used to connect to the MySQL database. Is this db.php file secure enough like that, or are there other measures I should take to ensure my database password is safe?

People won't hack your site and get that info by entering a URL into their web browser. It's only when you allow variable input into an include(_once) or a require(_once) that the problems start. Don't worry about it!

Thanks a lot so far. Another question though: I have also created an admin section to use to update the website. All the files for the admin section are placed in a folder called admin. So if I place the admin folder up there where I've securely placed my includes folder, it should be safe, right? Sounds logical, but I'd like to hear opinions from those more experienced than I. Thanks a lot guys/gals!

Putting the admin folder above the document root will stop you from being able to access it. It will need to be inside the site root folder (usually public_html) to be accessed from a web browser. However, I would recommend you protect the admin folder with a .htaccess file.

Thanks for all the help so far.
I think I've got it sorted out. How does this sound?:
I uploaded my admin folder to my webspace, and then used Protect Directory in cPanel to assign a password. My question: Is this the same as manually adding/editing the .htaccess and .htpasswd files? If not, is it secure?

Another quick question, if I may: If I put my includes directory above my site root, how do I link to my included files? Right now I'm using this:

include $_SERVER['DOCUMENT_ROOT'] . '/includes/db.inc.php';

What should I replace this with if the includes folder is above the root?

Hey Mark, as I said above, there are hundreds of commercial scripts that keep the config info for a mysql database within the public sector. Take vBulletin for example. Look at OT forums, even they have their mysql config file available for people to open with their browser:

There's no way people can read the contents of that file via their browser. Don't worry about all these extra security measures including .htaccess. If someone were to get into that file it would be either by hacking your server, and then they'd have access to everything, or, like I said above, when you allow variable input to an include or a require and don't cleanse the incoming request variable which is being passed to the function. Even then a .htaccess won't protect you, as the require is being done server-side, which'll in turn ignore any .htaccess file.

If something gets screwed up with the server configuration that causes the PHP code to not be parsed, the PHP file could be served in plain text format.
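As an added example that is not from any poster in this thread, here is one way to include a config file that sits one level above public_html (the question asked above about replacing the DOCUMENT_ROOT include), written so that a missing file fails closed and a connection error never echoes credentials to the browser. It assumes the directory layout shown in the comments and a db.inc.php that simply does `return ['host' => ..., 'name' => ..., 'user' => ..., 'pass' => ...];` with placeholder values.

```php
<?php
// Added example, not code from the thread. Assumed layout:
//   /home/user/includes/db.inc.php   <- outside the web root
//   /home/user/public_html/index.php <- this file, inside the web root
//
// __DIR__ is the directory of the running script; its parent holds includes/.
// Building the path from __DIR__ avoids relying on include_path or on
// $_SERVER['DOCUMENT_ROOT'], which some hosts set inconsistently.
$configFile = dirname(__DIR__) . '/includes/db.inc.php';

// Fail closed: a missing or unreadable config should stop the page rather
// than continue with empty credentials.
if (!is_readable($configFile)) {
    http_response_code(500);
    exit('Configuration file not found.');
}

// db.inc.php returns an array instead of defining globals, so the
// credentials do not leak into the including script's variable scope.
$db = require $configFile;

try {
    $pdo = new PDO(
        "mysql:host={$db['host']};dbname={$db['name']};charset=utf8mb4",
        $db['user'],
        $db['pass'],
        [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]
    );
} catch (PDOException $e) {
    // Log the real error server-side; never echo $e->getMessage() to the
    // browser, since it can contain the host name and user name.
    error_log('DB connection failed: ' . $e->getMessage());
    http_response_code(500);
    exit('Database unavailable.');
}

// $pdo is now ready for prepared statements on the rest of the page.
```

If the includes directory has to stay inside public_html, the last reply's scenario (PHP no longer being parsed and the file served as text) is the reason to also deny web access to it, for example with an Apache .htaccess containing `Require all denied` (Apache 2.4) in that directory.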